IPsec IKEv2, RSA cert, pfSense <-> pfSense, no NAT: failed to bring net tunnel up?



    Hello Forum,

    After trying several combinations with NAT from the home office (strongSwan on openSUSE, Sophos, ..) and spending several hours,
    I decided to go back to what is, in my opinion, the easiest possible setup (no NAT, both ends pfSense 2.3.2p1 RELEASE, only one network <-> network tunnel):

    172.30.21.0/24    PFS_A (official static IP)  <-->  PFS_B (official static IP)    172.30.11.0/24

    meaning "only" ;) a 172.30.21.0/24 <-> 172.30.11.0/24 tunnel, where both A and B also have more such networks (that comes later ...)

    Setup data:
    1.) Set up a Cert-CA on A, generate a server cert and a client (B) certificate;
        put Cert-CA.crt, Cert-B.crt and Cert-B.key on B via "import certificate".
    2.) IPsec parameters on both ends:
        Key Exchange version:        2 (later I need NAT for the home office ..)
        Internet Protocol:           IPv4
        Interface:                   WAN
        Remote Gateway:              IP address of peer
        Authentication Method:       Mutual RSA
        My identifier:               My IP address
        Peer identifier:             Peer IP address
        My Certificate:              A (server cert), B (client cert)
        Peer Certificate Authority:  Cert-CA of A
        Phase 1:
        Encryption Algorithm:        AES 256 bits
        Hash Algorithm:              SHA256
        DH Group:                    14 (2048)
        Lifetime:                    28800
        Disable rekey:               false
        Disable Reauth:              false
        Responder Only:              A (true), B (false)
        MOBIKE:                      disable
        Split connections:           false
        Dead Peer Detection:         enabled
        Delay:                       10
        Max failures:                5
        Phase 2:
        Mode:                        Tunnel IPv4
        Local Network:               A (172.30.21.0/24), B (172.30.11.0/24)
        NAT/BINAT translation:       none
        Remote Network:              A (172.30.11.0/24), B (172.30.21.0/24)
        Protocol:                    ESP
        Encryption Algorithms:       AES 256 bits
        Hash Algorithms:             SHA256
        PFS key group:               14 (2048)
        Lifetime:                    3600
        Advanced settings:           everything is disabled except:
        Configure Unique IDs as:     Yes
        Auto-exclude LAN address:    true

    So if I start the tunnel from B, Phase 1 succeeds and B also shows in the GUI that the tunnel (SPD) is set up ...
    But A shows in its logs that there are problems; see the log (reverse ordering of lines ....)

    Oct 17 15:06:17 charon 04[ENC] <bypasslan|1> generating IKE_AUTH response 1 [ IDr CERT AUTH N(AUTH_LFT) N(TS_UNACCEPT) ]
    Oct 17 15:06:17 charon 04[IKE] <bypasslan|1> failed to establish CHILD_SA, keeping IKE_SA
    Oct 17 15:06:17 charon 04[IKE] <bypasslan|1> traffic selectors 172.30.21.0/24|/0 === 172.30.11.0/24|/0 inacceptable
    Oct 17 15:06:17 charon 04[CFG] <bypasslan|1> 172.30.20.0/24|/0
    Oct 17 15:06:17 charon 04[CFG] <bypasslan|1> proposing traffic selectors for other:
    Oct 17 15:06:17 charon 04[CFG] <bypasslan|1> 172.30.20.0/24|/0
    Oct 17 15:06:17 charon 04[CFG] <bypasslan|1> proposing traffic selectors for us:
    Oct 17 15:06:17 charon 04[CFG] <bypasslan|1> looking for a child config for 172.30.21.0/24|/0 === 172.30.11.0/24|/0
    Oct 17 15:06:17 charon 04[IKE] <bypasslan|1> maximum IKE_SA lifetime 10510s
    Oct 17 15:06:17 charon 04[IKE] <bypasslan|1> scheduling reauthentication in 9970s
    Oct 17 15:06:17 charon 04[IKE] <bypasslan|1> IKE_SA bypasslan[1] state change: CONNECTING => ESTABLISHED

    And after this the IKE_SA is not usable at all, but why does B show in the GUI that everything is fine??
    The network 172.30.20.0/24 shown is also present on A, but it is nowhere set up for this tunnel ...

    So for me the "easy" case doesn't work either ... :-[
    Please give me some input to get it working like it should ..

    Thank you
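The charon excerpt above carries the whole story on its own: the IKE_SA was matched to a connection charon calls `bypasslan`, the only traffic selectors that connection offers on either side are 172.30.20.0/24, and the initiator's requested pair 172.30.21.0/24 === 172.30.11.0/24 cannot fit inside that, so the CHILD_SA is refused with TS_UNACCEPT while the IKE_SA itself stays ESTABLISHED. As an added example (not part of the original post or of pfSense/strongSwan), the following Python script reads such a charon log, groups lines per IKE_SA by the `<conn|id>` prefix, recovers the requested and offered selectors, and prints which side is not covered. The sample input is the post's log, reproduced newest-first as it was pasted; the message formats matched are the ones visible in those lines, and the `newest_first` switch is an assumption about how the excerpt was copied from the GUI.

```python
"""Triage a strongSwan (charon) log excerpt for a CHILD_SA rejected with TS_UNACCEPT.

Added example, not part of the original post. Groups charon lines per IKE_SA and
checks whether the initiator's requested traffic selectors lie inside the
selectors the responder's matched connection is willing to propose.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample: the lines quoted in the post, in the post's newest-first order.
SAMPLE_LOG_NEWEST_FIRST = """\
Oct 17 15:06:17 charon 04[ENC] <bypasslan|1> generating IKE_AUTH response 1 [ IDr CERT AUTH N(AUTH_LFT) N(TS_UNACCEPT) ]
Oct 17 15:06:17 charon 04[IKE] <bypasslan|1> failed to establish CHILD_SA, keeping IKE_SA
Oct 17 15:06:17 charon 04[IKE] <bypasslan|1> traffic selectors 172.30.21.0/24|/0 === 172.30.11.0/24|/0 inacceptable
Oct 17 15:06:17 charon 04[CFG] <bypasslan|1> 172.30.20.0/24|/0
Oct 17 15:06:17 charon 04[CFG] <bypasslan|1> proposing traffic selectors for other:
Oct 17 15:06:17 charon 04[CFG] <bypasslan|1> 172.30.20.0/24|/0
Oct 17 15:06:17 charon 04[CFG] <bypasslan|1> proposing traffic selectors for us:
Oct 17 15:06:17 charon 04[CFG] <bypasslan|1> looking for a child config for 172.30.21.0/24|/0 === 172.30.11.0/24|/0
Oct 17 15:06:17 charon 04[IKE] <bypasslan|1> maximum IKE_SA lifetime 10510s
Oct 17 15:06:17 charon 04[IKE] <bypasslan|1> scheduling reauthentication in 9970s
Oct 17 15:06:17 charon 04[IKE] <bypasslan|1> IKE_SA bypasslan[1] state change: CONNECTING => ESTABLISHED
"""

# "<mon> <day> <time> charon <thread>[<group>] <conn|id> <message>"; lines without <conn|id> are skipped
LINE_RE = re.compile(r"^\w{3}\s+\d{1,2} \d\d:\d\d:\d\d charon \d+\[(?P<grp>[A-Z]+)\] "
                     r"<(?P<conn>[^|>]+)\|(?P<id>\d+)>\s*(?P<msg>.*)$")
NET = r"[0-9A-Fa-f.:]+/\d{1,3}"                       # "<net>/<len>", then "|/<proto>" or "[ports]"
TS_LINE_RE = re.compile(r"^(?P<net>" + NET + r")(?:\||\[|$)")
TS_PAIR_RE = re.compile(r"(?P<local>" + NET + r")\S* === (?P<remote>" + NET + r")")


@dataclass
class IkeSaTrace:
    """What the log says about one IKE_SA (charon's local === remote convention throughout)."""
    conn: str
    sa_id: int
    established: bool = False
    child_failed: bool = False
    requested: Optional[Tuple] = None                    # "looking for a child config for L === R"
    rejected: Optional[Tuple] = None                     # "traffic selectors L === R inacceptable"
    offered_local: List = field(default_factory=list)    # "proposing traffic selectors for us"
    offered_remote: List = field(default_factory=list)   # "proposing traffic selectors for other"


def _net(text: str):
    return ipaddress.ip_network(text, strict=False)


def _pair(msg: str) -> Optional[Tuple]:
    m = TS_PAIR_RE.search(msg)
    return (_net(m["local"]), _net(m["remote"])) if m else None


def parse_charon(lines, newest_first: bool = False) -> Dict[Tuple[str, int], IkeSaTrace]:
    """Group charon lines per IKE_SA. A "proposing ..." header must precede its selector
    lines, so an excerpt pasted newest-first (as GUI log views often show it) is reversed."""
    if newest_first:
        lines = list(reversed(list(lines)))
    traces: Dict[Tuple[str, int], IkeSaTrace] = {}
    collecting: Dict[Tuple[str, int], str] = {}        # SA -> "local"/"remote" after a header
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        key = (m["conn"], int(m["id"]))
        tr = traces.setdefault(key, IkeSaTrace(m["conn"], int(m["id"])))
        msg = m["msg"]
        ts = TS_LINE_RE.match(msg)
        if ts and key in collecting:                     # bare selector line under a header
            (tr.offered_local if collecting[key] == "local" else tr.offered_remote).append(_net(ts["net"]))
            continue
        collecting.pop(key, None)                        # any other message ends the selector list
        if msg.startswith("proposing traffic selectors for us"):
            collecting[key] = "local"
        elif msg.startswith("proposing traffic selectors for other"):
            collecting[key] = "remote"
        elif msg.startswith("looking for a child config for"):
            tr.requested = _pair(msg)
        elif msg.startswith("traffic selectors") and msg.endswith("inacceptable"):   # charon's spelling
            tr.rejected = _pair(msg)
        elif msg.startswith("failed to establish CHILD_SA"):
            tr.child_failed = True
        elif "state change:" in msg and msg.endswith("=> ESTABLISHED"):
            tr.established = True
    return traces


def covered(requested, offered) -> bool:
    """True if the requested selector lies inside one of the offered selectors."""
    return any(requested.version == o.version and requested.subnet_of(o) for o in offered)


def diagnose(tr: IkeSaTrace) -> Optional[str]:
    """Explain an IKE_SA that came up while its CHILD_SA did not; None when there is nothing to say."""
    if not (tr.established and tr.child_failed and tr.requested):
        return None
    local, remote = tr.requested
    faults = []
    if not covered(local, tr.offered_local):
        faults.append(f"local {local} not within offered {[str(n) for n in tr.offered_local]}")
    if not covered(remote, tr.offered_remote):
        faults.append(f"remote {remote} not within offered {[str(n) for n in tr.offered_remote]}")
    verdict = "; ".join(faults) if faults else "selectors overlap, check proposals/SPD instead"
    return f"IKE_SA {tr.conn}[{tr.sa_id}] ESTABLISHED but CHILD_SA failed; requested {local} === {remote}; {verdict}"


def report(log_text: str, newest_first: bool = False) -> List[str]:
    traces = parse_charon(log_text.splitlines(), newest_first=newest_first)
    return [d for d in (diagnose(t) for t in traces.values()) if d]


if __name__ == "__main__":
    for line in report(SAMPLE_LOG_NEWEST_FIRST, newest_first=True):
        print(line)
```

Run against the sample it reports that both requested selectors fall outside the single 172.30.20.0/24 that connection `bypasslan` offers. The practical value of keying everything on the `<conn|id>` prefix is that it immediately tells you which connection definition charon actually selected for the incoming IKE_SA, which is not necessarily the one you configured the Phase 2 networks on; comparing that name with the tunnel's own connection name is the first thing to check before touching the Phase 2 settings.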